UserLock Documentation

Priority management

A 'Protected account' is a set of rules allowing you to define network access conditions. A 'Protected account' can be defined for a user account, a group or an organizational unit. From version 8.5, UserLock distinguishes two kinds of protected accounts: permanent protected accounts and temporary protected accounts. Unlike the permanent protected account, the temporary account is only valid for a set period of time, defined by start and end dates.

A user may therefore be a member of several protected accounts (user, group or organizational unit), each either permanent or temporary.

When a new protected account is created, rules/restrictions are set to 'Not configured' by default. A rule/restriction is considered configured when its value is different from 'Not configured'.

UserLock manages priorities to process the correct rule after considering the type and category of the protected accounts involved, as well as the policy defined in the UserLock server properties.

Priority criteria

The protected account type:

  • Permanent: Set of rules without time limit.
  • Temporary: Set of rules for a specified period of time.
    Temporary accounts always have priority over permanent accounts.

The protected account category:

  • User: Set of rules applicable to a specific user account.
  • Group: Set of rules applicable to each member of a specified group.
  • Organizational Unit: Set of rules applicable to each member of a specified organizational unit.

The UserLock Server Policy:

  • The most restrictive: Applies the most restrictive rule in case of equal priority level.
  • The least restrictive (by default): Applies the least restrictive rule in case of equal priority level.

Priority levels

UserLock supports an order based on the following levels, from highest priority to lowest priority:

Level 1: A User temporary protected account.

Level 2: A Group or Organizational Unit temporary protected account.

Level 3: A User permanent protected account.

Level 4: A Group or Organizational Unit permanent protected account.


This means that:

  • If a user is both a member of a temporary account and one or more permanent accounts (user, group, or organizational unit), a configured rule on the temporary account will always take priority, regardless of which UserLock policy is defined (the most or the least restrictive). The UserLock policy is only used to decide which rule applies when several protected accounts share the same priority level (level 2 or level 4).

    Examples:

    Alice is a member of a Group permanent protected account named 'Everyone' allowing one workstation session.
    Alice is also a member of a temporary protected account named 'Everyone' allowing three workstation sessions.
    The same rule limiting the maximum number of workstation sessions is defined here in two protected accounts. As temporary rules always have priority over permanent rules, Alice will be able to open a maximum of three workstation sessions while the temporary rule is active.

    Bob is a member of a Group permanent protected account named 'Everyone' allowing one workstation session.
    Bob is also a member of a permanent protected account named 'Group-A' allowing two workstation sessions.
    The same rule limiting the maximum number of workstation sessions is defined here in two Group protected accounts of the same type, i.e. permanent. This means that they have the same priority level (level 4). In this situation, the rule applied will depend on the UserLock Server Policy configured (the most or the least restrictive).

    Carol is a member of a Group permanent protected account named 'Group-A' allowing two workstation sessions.
    Carol is also a member of a temporary protected account named 'Group-B' allowing five workstation sessions.
    With the UserLock Server Policy configured to 'The least restrictive', Carol can therefore open a maximum of five simultaneous workstation sessions.
    However, a temporary protected account associated with the group named 'Group-A' has been created and activated to temporarily authorize three workstation sessions. As temporary rules always have priority over permanent rules, Carol will only be able to open a maximum of three workstation sessions during the activation period for this temporary rule associated with 'Group-A'.

    Important: When a user is a member of several group or organizational unit permanent protected accounts for which the same rule is defined, if a temporary protected account also having the same rule is activated, then the rule applied will be the one defined on this temporary account.
    As temporary rules always have priority over permanent rules, membership in any other permanent protected account will be ignored during the period the temporary account is active.

  • If a user is both a member of a user protected account and a group or organizational unit protected account having the same type, the rules defined in the user protected account will always have priority, regardless of the policy configured in the UserLock server Properties.

    Examples:

    Alice is a member of a permanent user protected account 'Alice' allowing her two workstation sessions.
    Alice is also a member of a permanent Group protected account named 'Everyone' authorizing one workstation session. The same rule limiting the maximum number of workstation sessions has been defined. As a user protected account always has priority over a group or organizational unit protected account of the same type (permanent here), the rule applied will be 'two' workstation sessions granted.

    Bob is a member of a temporary protected account 'Bob' authorizing two workstation sessions. This temporary account is active.
    Bob is also a member of a temporary Group protected account named 'Group-A' authorizing one workstation session and this is also active.
    The same rule limiting the maximum number of workstation sessions is defined here on two temporary protected accounts. As a user protected account always has priority over a group or organizational unit protected account of the same type (temporary here), the rule applied will be 'two' workstation sessions granted.

 

The UserLock server policy applies only when group or organizational unit protected accounts have the same priority level. In that case, if the UserLock server policy is:
- The least restrictive (default): If at least one protected account allows the connection, the login will be allowed.
- The most restrictive: If at least one protected account refuses the connection, the connection will be refused.
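
The resolution order described on this page, modelled as an added Python example for auditing which protected account decides a user's session limit (this is not UserLock code or its API). All class, function and constant names are hypothetical; the model assumes every temporary account passed in is currently active and treats 'Not configured' as None.

```python
from dataclasses import dataclass
from typing import Optional

LEAST_RESTRICTIVE, MOST_RESTRICTIVE = "least", "most"  # hypothetical policy labels

@dataclass(frozen=True)
class ProtectedAccount:
    name: str
    category: str                        # "user", "group" or "ou"
    temporary: bool                      # True = temporary account, assumed active
    max_sessions: Optional[int] = None   # None models 'Not configured'

def priority_level(acct):
    """1 (highest) to 4 (lowest), as listed under 'Priority levels'."""
    is_user = acct.category == "user"
    if acct.temporary:
        return 1 if is_user else 2
    return 3 if is_user else 4

def effective_max_sessions(accounts, policy=LEAST_RESTRICTIVE):
    """Return (limit, deciding account names); (None, []) if no rule is configured."""
    # Assumption: only configured rules compete, so an unset rule never overrides.
    configured = [a for a in accounts if a.max_sessions is not None]
    if not configured:
        return None, []
    top = min(priority_level(a) for a in configured)
    tied = [a for a in configured if priority_level(a) == top]
    # The server policy only breaks ties between accounts on the same level.
    pick = max if policy == LEAST_RESTRICTIVE else min
    limit = pick(a.max_sessions for a in tied)
    return limit, sorted(a.name for a in tied if a.max_sessions == limit)

# Memberships from the page's examples. Alice's temporary 'Everyone' account is
# assumed to be a group account; the "(temporary)" suffix is added for clarity.
ALICE = [ProtectedAccount("Everyone", "group", False, 1),
         ProtectedAccount("Everyone (temporary)", "group", True, 3)]
BOB = [ProtectedAccount("Everyone", "group", False, 1),
       ProtectedAccount("Group-A", "group", False, 2)]
ALICE_USER = [ProtectedAccount("Alice", "user", False, 2),
              ProtectedAccount("Everyone", "group", False, 1)]
# Constructed case: a temporary account whose rule is left 'Not configured'.
UNSET_TEMP = [ProtectedAccount("Group-A (temporary)", "group", True, None),
              ProtectedAccount("Group-A", "group", False, 2)]

if __name__ == "__main__":
    for label, accts in [("Alice", ALICE), ("Bob", BOB), ("Alice (user)", ALICE_USER)]:
        for policy in (LEAST_RESTRICTIVE, MOST_RESTRICTIVE):
            print(label, policy, effective_max_sessions(accts, policy))
```

Running it shows that only Bob's result changes with the server policy: in the other cases one account sits alone on the highest level, so a looser temporary or user-level rule wins even under 'The most restrictive'.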